POSTAL REGULATORY COMMISSION
OFFICE OF INSPECTOR GENERAL

FINAL INSPECTION REPORT

POSTAL REGULATORY COMMISSION'S HANDLING OF NONPUBLIC INFORMATION

Report # 10-01-A01
April 30, 2010

Handling of Nonpublic Information                                                          10-1-A01

Table of Contents

INTRODUCTION
    BACKGROUND
    OBJECTIVE, SCOPE AND METHODOLOGY
RESULTS
    STORAGE OF NONPUBLIC INFORMATION
    ESTABLISHING A "NEED-TO-KNOW"
    RECEIPT AND TRANSMISSION OF NONPUBLIC INFORMATION
    TRAINING
    INCIDENT REPORTING

Introduction

Background

This report presents the results of a review by the Postal Regulatory Commission Office of Inspector General (PRC-OIG) of the PRC's procedures, policies and systems for handling information which is protected under 39 USC 504(g). PRC-OIG initiated this review in response to requests on January 26, 2010, from both Chairman Edolphus Towns of the U.S. House Committee on Oversight and Government Reform and Chairman Ruth Goldway of the PRC. PRC-OIG was assisted in this review by the Inspections and Evaluations staff of the Treasury Inspector General for Tax Administration.

In fulfilling its role in regulating and overseeing the United States Postal Service, the PRC requires the Postal Service to provide a wide range of information regarding its operations. Most filings with the PRC are a matter of public record, and are posted on the PRC's website (http://www.prc.gov). However, the Postal Accountability and Enhancement Act of 2006 allows the Postal Service to file certain types of information, including commercially sensitive information, under protective conditions.

Under 39 USC 504(g), the PRC is generally prohibited from disclosing this nonpublic information; however, outside parties in matters before the PRC may move for access to nonpublic information only for purposes of participating in the matter.

On April 27, 2010, we held an exit conference with PRC management in which we described this review's findings and presented our recommendations.

Objective, Scope and Methodology

The objective of this review was to evaluate the handling of nonpublic information and material received by the PRC, and to identify whether the controls in place are adequate to safeguard the information from possible disclosure or unauthorized access.

39 CFR Part 3007, Treatment of Non-Public Material Filed with the Commission, establishes criteria for (1) treatment (non-disclosure) and use of nonpublic material,[1] and (2) standardized requests for access to nonpublic material.[2] However, it does not specify any particular requirement for the physical protection of nonpublic information.

There are no government-wide standards for the storage and safeguarding of nonpublic proprietary information and, as a result, federal agencies have discretion over establishing their own standards. The PRC has not established its own detailed physical security standards. Where the PRC lacked specific guidelines, we compared the Commission's practices with the standards of the Treasury Security Manual applicable to sensitive but unclassified materials.

The Treasury manual sets forth criteria for:

      •    Storing of information and documents;
      •    Establishing a "need-to-know" before granting access to information;
      •    Transmitting information via mail, courier, and/or electronic mail;
      •    Training personnel to recognize and safeguard information;
      •    Destroying information; and
      •    Incident reporting.

We conducted an on-site physical security review of the PRC's office spaces on April 1, 2010, and, in order to identify standard operating procedures for handling nonpublic data, we performed follow-up interviews with PRC personnel on April 6, 2010.

This review was conducted in accordance with the Quality Standards for Inspections developed by the President's Council on Integrity and Efficiency and adopted by the Council of Inspectors General on Integrity and Efficiency.

[1] 39 CFR §§ 3007.23 and 3007.25
[2] 39 CFR §§ 3007.40, 3007.50 and 3007.52

Results

Storage of Nonpublic Information

Per the Treasury Security Manual, storage of "sensitive but unclassified information shall be, at a minimum, in a file cabinet, desk drawer, overhead storage bin, credenza, or similar locked compartment. Sensitive but unclassified information may also be stored in a room or area with physical access control measures affording adequate protection and preventing unauthorized access by the public, visitors, or other persons without a need-to-know."[3]

Except when checked out by PRC staff, all nonpublic information and documentation that the PRC receives is stored in a docket room controlled by an electronic keypad lock with key override. No other secondary security controls prohibit access to the docket room. Access to either the keycode or the override key for this room is limited to six employees of the PRC's Office of the Secretary and Administration.

Aside from a public reception area, all entrances to the PRC's offices are controlled by doors with either magnetic or keyed locks. A receptionist logs all visits and prevents unescorted visitors from entering PRC offices. In addition, public access to the building is limited during non-business hours.

The PRC exceeds the minimum criteria for sensitive information established by the Treasury Security Manual, and has several satisfactory layers of physical control in place to reasonably prevent the unauthorized access and disclosure of nonpublic information in its possession.

We make no recommendations for improvement in this area.

[3] Department of Treasury Security Manual (TD P 15-71), Chapter III, Section 23.10(a)

Establishing a "Need-to-Know"

Alongside setting physical controls, an important factor in safeguarding nonpublic information is determining an individual's "need-to-know" before allowing access to the information.[4]

The PRC, in accordance with 39 CFR Part 3007, established a procedural guide, Dockets Protected Materials Procedures, in order to establish standard operating procedures for the internal and external receipt, dissemination, and return/destruction of nonpublic information and documentation in its possession. Per the procedural guide, "external reviewers wishing to access Protected Materials must first complete a 'certification of compliance with protective conditions,' which is attached to the Ruling granting protective conditions. That certification must be filed in person or electronically in the appropriate docket via the PRC's filing online system. Upon receipt of the certification the external reviewers are required to wait until the third day after filing the certification before they may access the materials under those protective conditions. Only the person who signed the certification may obtain the Protected Materials."[5] Access to nonpublic materials by PRC staff is similarly limited.

The PRC has also established procedures requiring staff and outside parties to either return or certify destruction of nonpublic materials at the conclusion of the matter for which access was provided.

Nonpublic information received on electronic media such as compact discs is also copied onto an internal file server for use by PRC staff, as an alternative to making multiple CDs for all staff working on a particular matter. Access is limited to staff with a need to know by use of file permissions. Per the PRC's IT staff, the file server is separated from the PRC's web server by a firewall, and the Commission's internal servers can only be accessed either from workstations located at the PRC's offices, or by Virtual Private Network using valid user credentials.

We find that the PRC has satisfactory standards in place to reasonably limit access to nonpublic information to those with a need to know.

We make no recommendations for improvement in this area.

[4] Department of Treasury Security Manual (TD P 15-71), Chapter III, Section 1.3
[5] Dockets Protected Materials Procedure, undated

Receipt and Transmission of Nonpublic Information

The PRC has established specific standards regarding the receipt and transmission of nonpublic information. Per 39 CFR § 3007.10, "non-public material shall not be filed electronically pursuant to § 3001.9, but shall be filed in sealed envelopes clearly marked 'Confidential. Do Not Post to Web.' The person filing the non-public materials shall submit two copies consisting, where practicable, of two paper hard copies as well as two copies in easily usable electronic form." The PRC's Dockets Protected Materials Procedures guide establishes further criteria for the internal and external receipt, dissemination, and return/destruction of all nonpublic information and documentation in its possession, specifically:

      •    Protected Materials may not be transmitted by any electronic medium;
      •    Documents may not be distributed, only checked out by authorized individuals;
      •    Dockets staff will inform reviewers that copies may not be made of Protected Materials; and
      •    Protected Materials may be shipped to reviewers outside the Washington, DC area if they have a completed certification ("certification of compliance with protective conditions") on file with the PRC and they pay the applicable postage. Documents must be forwarded via registered mail, return receipt requested.

We find that the PRC has satisfactory standards in place to reasonably prevent the unauthorized access and disclosure of nonpublic information as it is being transmitted or received.

We make no recommendations for improvement in this area.

Training

Per the Treasury Security Manual, "supervisors and program managers are responsible for employees being trained to recognize and safeguard sensitive but unclassified information supporting their mission, operations and assets. Supervisors and managers shall also ensure an adequate level of education and awareness is maintained by affected employees. Education and awareness shall begin upon initial employee assignment and annually reinforced through mandatory training, staff meetings or other methods/media contributing to an informed workforce."[6]

The PRC provides no formal training to educate staff members on adequately safeguarding nonpublic information in their personal possession. Instead, management provides an informal oral "overview" of adequate safeguarding and relies on supervisors to enforce procedures for safeguarding nonpublic information filed with the PRC.

We recommend that the PRC:

1.        Develop a more comprehensive, formal training program in order to remind PRC staff of the security requirements for safeguarding nonpublic information.

PRC management committed to implementing this recommendation at our April 27, 2010, exit conference.

[6] Department of Treasury Security Manual (TD P 15-71), Chapter III, Section 23.6

Incident Reporting

Per the Treasury Security Manual, employees or contractors shall notify their supervisor once they "become aware of the loss, compromise, suspected compromise, or unauthorized disclosure of sensitive but unclassified information no later than the next business day" and "notification to appropriate officials shall be made without delay when the disclosure or compromise could result in physical harm to an individual or compromise an unclassified plan or on-going operation."[7] The security official, or designee, is required to conduct an inquiry to determine the details and prepare a report including the following:

      •    Whether or not an incident actually occurred. If there was no loss, compromise, or unauthorized disclosure, the security official shall so state;
      •    The responsible person(s);
      •    The cause of the incident;
      •    Actions taken to minimize damage or neutralize the potential for further compromise;
      •    Recommendations that can be implemented to prevent recurrence of similar incidents;
      •    The estimated impact; and
      •    Any action taken or planned, including training, to prevent recurrence.[8]

The PRC does not have a formal procedure for reporting alleged compromises of nonpublic information.

We recommend that the PRC:

2.        Develop a method for reporting incidents where a possible compromise of nonpublic information occurs. In developing this plan, the PRC should consider provisions to ensure that affected parties are notified, that the cause is determined, and that plans are made to prevent recurrence.

PRC management committed to implementing this recommendation at our April 27, 2010, exit conference.

[7] Department of Treasury Security Manual (TD P 15-71), Chapter III, Section 23.14(a)
[8] Department of Treasury Security Manual (TD P 15-71), Chapter III, Section 23.14(b)